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(57) Abstract: A method 
for permitting the secure 

transmission of electronic 
messages by using bionietric 
certification is provided. 
Enrolled flngeiprint features 
sets, which have been 
uniquely modified for a 
particular person with whom 
messages will be exchanged, 
are cross-enrolled between 
the sender and receiver 
such that the biometric 
identity of both the sender 
and receiver can be 
checked during message 
sending and receiving. 
In one embodiment, the 
sender provides a live-scan 
fingerprint feature set which 
is subtracted from the 

enrolled fingerprint feature set of the sender to create a "difference key" or "difference key" that is used to encrypt the message 
and other fingerprint data. The receiver decrypts the sender's live-scan fingerprint feature set that is then used to reconstruct the 
difference key, which is then used to deciypt the message. Another embodiment of the present invention provides additional 
security by requiring a four stage exchange between the sender and receiver, with the following stages: 1) the sender provides a 
sender* s first encrypted fingerprint; 2) the receiver confirms the identity of the sender and provides a receiver's first fingerprint 
that is used to generate a receiver's difference key which is used to re-enciypt the sender's first fingerprint, and sends the both 
encrypted fingerprints back to the sender; 3) the sender confirms the identity of the receiver's first fingerprint and by recreating the 
receiver's difference key and decrypting the sender's first fingeiprint and comparing it with the original; the sender then provides a 
second fingerprint and creates a sender's difference key, which is used to encrypt the sender's second fingerprint and the message; 
the sender then transmits the encrypted fingerprints and the message to the receiver, 4) the receiver again confirms the identity of 
the sender by decrypting the receiver's first fingeiprint and comparing it with the original and by using the difference key of the 
receiver to decrypt and match the second fingerprint of the sender, the receiver then decrypts the message with the difference key of 
the sender. A third embodiment of the present invention provides for biometric identity 
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certification and secure voice and data messaging over cellular telephones and other real time two way communications channels. 
Each cellular telephone must be equipped with fingerprint or other biometric sensor. Asymmetrical public-private key encryption 
and decryption enables secure transmission of biometric and partial "difference key" data. Enrolled fingeiprint feature sets are stored 
on a secure "Identity Server" on the cellular network. The Identity Server is able to provide remote verification of the identity of each 
caller. The Identity Server also provides encrypted fingerprint features, which are subtracted from live-scan fingerprint features of 
each caller, allowing separate difference keys for each caller to be generated. The difference keys are used to scramble or unscramble 
the audio or other data transmitted over the cellular telephone network. 
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METHOD FOR BIOMETRIC ENCRYPTION OF EMAIL 

Technical Field 

This invention relates to a method of certifying the identity of both the 
5 sender and the receiver of electronic messages by means of biometric 
infonnation such as fingerprints. 

Background 

Related art includes United States Patent No. 5,541.994: ("the '994 

10 patent") which issued 30 July, 1996 for an invention called "Fingerprint 
controlled public Icey cryptographic system." The '994 patent shows a 
fingerprint used to generate a unique number for generating public and 
private keys by .manipulation of the fingerprint image data. A filter is 
generated from the Fourier transform of the fingerprint and the unique 

15 number; the filter is later used with the Fourier transfonn of the fingerprint and 
a spatial light modulator to retrieve the unique number and decrypt a 
message. Unlike the present invention, the '994 patent depends on filters, 
Fourier transfomis and optical computing techniques. 

Related art also includes United States Patent No. 5,712.912: ("the 

20 '912 patenf) which issued 27 January, 1998 for an invention called "Method 
and apparatus for securely handling a personal identification number or 
cryptographic key using biometric techniques." The '912 patent is for a 
method and apparatus using biometric Information (such as a fingerprint, an 
Iris structure, etc.) as a cipher for encrypting and decrypting a personal 

25 identification number (PIN). To decrypt the PIN, a full-complex spatial light 
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modulator is illuminated with an optical beam canying the Fourier transfomi of 
the biometric image of an individual fingerprint to be identified. Unlike the 
present invention, the '912 patent depends on Fourier transforms and optical 
computing techniques and the method for encrypting the PIN is not specified. 
5 Related art also includes United States Patent No. 5,737,420: ("the 

'420 patent") which issued 7 April, 1998 for an invention called "Method for 
secure data transmission between remote stations." The '420 patent is for a 
method for pennitting the secure handling or data between two remote 
stations firstly involves the generation of an encrypted decryption key which is 

10 based on a fingerprint infomnation signal from a user of a first station, a 
fingerprint information signal from a user of a second station, and a key 
representing function derived from a random key. The encrypted decryption 
key is of the type with the property that when it is written to a spatial light 
modulator (SLM) of an optical correlator, the ou^ut of the correlator is similar 

15 when input with either one of the fingerprint infomnation signals. A message . 
encrypted with the key may be decrypted at either station by retrieving the 
encrypted key, writing the encrypted key to a filter of an optical correlator, 
inputting one of the fingerprint information signals to the correlator in order to 
allow recovery of the decryption key, and applying the decryption key to the 

20 encrypted message. Unlike the present Invention, the '420 patent depends on 
filters, and optical computing techniques. 

Summary of the Invention 

The invention describes an algorithmic method to provide biometric 
25 security to electronic messages, such as electronic mail (also known as 
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email), certifying tlie physical identity of both the sender and receiver. The 
Worfd V\^de Web or Internet allows any computer workstation to communicate 
with any other workstation through a variety of network connections. One 
common forni of network communications is electronic mail or "email," which 
5 is now a widely used communications means. However, email is generally not 
secure or private. Although public key / private key encryption tools are 
available, such as PGP (Pretty Good Privacy), such encryption Is slow and 
does not securely link a message to the identity of the sender or confirm that 
the correct person has viewed it. Digital certificates can help verify the origin 

10 of a message, but not generally the personal identity of the recipient. 
Fingerprint biometrics (or any other biometric) can be used to add convenient 
security to email, by augmenting public key or other encryption and/or 
replacing digital certificates. 

All embodiments of the present invention employ biometric feature 

15 sets, also known as templates, which are well known to those skilled in the art 
of biometric identification. A biometric feature set is any biometric identifier file 
that includes sufficient salient aspects of the biometric to allow identification of 
the individual person. For example, a fingerprint feature set may typically be 
comprised of "minutiae", which are usually understood to be the locations and 

20 orientations of bifurcations and tenninations of fingerprint ridges. However, 
any other features of the fingerprint may also be included in a fingerprint 
feature set, such as curvature, ridge count, ridge distance oirvature between 
points, or the shape of pattems in the fingerprint. In a similar fashion, a 
bioniebic feature set for any other type of biometric system, such as those 
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based on the details of the iris of the human eye or the dimensions of the 
human hand, may be employed. 

The present invention requires both the sender and the receiver to 
cross-enroll biometric feature sets. Alternatively, the sender and receiver may 
5 enroll biometric feature sets on a server connected to a network. For 
fingerprint enabled messaging, the objectives are that the sender must be 
confident that only the intended individual is able to decode the message, and 
the receiver must be confident that the message originated from a known 
sender. Therefore, both sender and receiver must be equipped with a 

10 fingerprint sensor and must be cross-enrolled on each other's computer or 
other infomnation processing device; altematively both the sender and 
receiver must be enrolled on a networi< server. This allows confimnation of 
identity of both parties at both ends of a message exchange. In addition, it 
allows user-specific encryption of messages. Cross-enrollment depends on 

15 public key infrastructure (PKI) cryptography (or other asymmetric 
public/private key cryptography), or the use of a secret key to transmit or 
deliver a biometric identifier file, which is a user's "enrolled fingerprint feature 
set" (typically a minutiae file) that has been uniquely modified for each 
recipient so that only the designated individual can employ it for messaging. 

20 Both the sender and the receiver must store the modified enrolled feature 
sets of the other individual with whom secure messages will be exchanged, or 
the modified enrolled feature sets must be stored on a network sender. A 
modified enrolled fingerprint feature set is only slightly changed, so that it still 
can be used to match fingerprints and identify an individual. 
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In the first embodiment of tiie invention, the sender will compose a 
message, which may include addHionai files or data of any type attached to 
the message. The sender will then initiate sending the message with a live- 
scan of the sender's fingerprint, which is then stored as a live-scan fingerprint 
5 feature set. The stored modified enrolled fingerprint feature set of the sender 
(which was previously sent to the receiver during cross-enrollment) is then 
retrieved (or derived again); the sender's two fingerprint feature sets are then 
used to derive the sender's "difference key" or "hidden key". The sender's 
live-scan feature set is then encrypted using the public key of the receiver. 

10 The "difference key" is then used to encrypt the modified enrolled fingerprint 
feature set of the receiver (which has previously been cross-enrolled and 
stored on the sender's hard drive). The "difference key" is also used to 
encrypt the message. When the message is sent it will have four parts, 1 ) an 
unencrypted header Oust as a standard email does); 2) the sender's iive-scan 

15 fingerprint feature set (encrypted using the receiver's public key); 3), the 
receiver's enrolled feature set (encrypted with the "difference key"), and; 4) 
the message itself (also encrypted witii "difference key"). 

All embodiments of this invention employ a novel "difference key" 
which is a highly secure biometric "hidden key" derived from two encrypted 

20 fingerprint feature sets which are sent at different times (one during cross- 
enrollment and one with the message). The "difference key" is never sent or 
exchanged between the sender and the receiver, but is always derived during 
the decryption process. In the preferred embodiments, the "difference key" is - 
derived from the live-scan (real-time) fingerprint feature set of the sender and 

25 the stored modified enrolled fingerprint feature set of the sender. A difference 
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key may also be derived from infomfiation subsets of fingerprint feature sets. 
The "difference key" is therefore truly random, since it embodies variations in 
how a live-scan fingerprint is presented to the sensor. 

The "difference key" is calculated from the difference between the 
5 fingerprint feature set of a live-scan of the sender (collected at the time of 
sending the message) and the modified enrolled fingerprint feature set of the 
sender (which was previously sent to the receiver during cross-enrollment). 
The "difference key" is thus a precise number (or set of numbers) that Is used 
as a secret encryption or decryption key for the actual message. Each 

10 "difference key" is unique and can be calculated only at the point of origin and 
at the point of reception of the message, and can be made Invisible to both 
sender and receiver. The "difference key" is also specific to the message 
being sent and thus is usable one time only. 

Upon receiving the electronic message, the receiver will use a 

15 fingerprint to activate the process of decoding of the message; a match of the 
receiver's live-scan fingerprint feature set will enable retrieval of the receiver's 
private key. which is used to decrypt sender's live-scan fingerprint feature set 
(which was encrypted using the receiver's public key). The sender's live-scan 
fingerprint feature set is then matched against the stored modified enrolled 

20 fingerprint feature set of the sender (which was previously sent to the receiver 
during cross-enrollment), validating the identity of the sender. 

Once the sender's identity is confimned, the "difference key" is 
reconstructed by subtracting the sender's live-scan fingerprint feature set 
from the sender's modified enrolled fingerprint feature set. The "difference 

25 key" is tiien used to decrypt the receiver's modified enrolled fingerprint feature 
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set (which was received with the message - not the original unmodified 
version stored on the receiver's hard drive). A second confinnation of the 
sender's identity is optionally performed by comparing the decrypted 
receiver's modified enrolled fingerprint feature set with the stored receiver's 
5 modified enrolled fingerprint feature set (which was sent to the sender during 
cross-enrollment and is specific to the sender); the second confirmation of the 
identity of the sender provides additional protection against identity theft 
fraud. 

it. is essential that the sender's message should only be readable by 

10 the designated receiver. To ensure this, the feature set of the receiver's live- 
scan fingerprint feature set is matched against the decrypted modified 
enrolled fingerprint feature set of the receiver (received with the message), 
validating the receiver's identity for a second time. Once the receiver's identity 
is verified, the "difference key" is used to automatically decrypt the actual 

15 message, and make it available to the receiver. 

An optional process allows for the sender to be given direct 
confinnation that the conrect person has received the message, thus providing 
a kind of electronic "registered mail." To provide affirmative acknowledgement 
of reception, the receiver's live-scan fingerprint feature set is encrypted, 

20 preferably with the "difference key" (or the sender's public key), and 
transmitted to the sender. The sender's computer can then automatically 
decrypt the receiver's iive-scan fingerprint feature set with the "difference key" 
(or the sender's private key); the decrypted receiver's live-scan fingerprint 
feature set is then matched with modified enrolled fingerprint feature set of 

25 the receiver (which was previously cross-enrolled). A successful match of the 
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live-scan fingerprint feature set of the receiver will allow a notification to be 
displayed to the sender that the message has been received and decrypted 
by the proper person. 

In a second embodiment of the invention (which also depends on 
S cross-enrollment of modified enrolled fingerprint feature sets of both the 
sender and the receiver), additional security is provided by a four stage 
process: two stages at sending and two stages at receiving; the sender must 
provide two fingerprints to send the message and the receiver must provide 
two fingerprints to receive the message. A "middle man" attack will require the 

10 attacker to know the private keys of both the sender and receiver, and also 
the modified enrolled fingerprint feature sets of both the sender and receiver 
the attacker must also be able to intercept both sides of a multi-part message 
handshake in order to decode in near real time the live-scan fingerprint 
feature sets of both the sender and receiver, which are required to decode 

15 the "difference key's of both the sender and receiver. 

The process is started when the sender generates a first live-scan 
fingerprint feature set and encrypts it with the public key of the receiver; the 
sender then transmits his/her encrypted first live-scan feature set to the 
receiver, announcing the intent to send a secure message. The receiver then 

20 checks the identity of the sender (for the first time) and responds by 
generating the receiver's first live-scan fingerprint feature set, which is then 
used to create a receiver's "difference key". The receiver then encrypts 
his/her first live-scan fingerprint feature set with the sender's public key, and 
then encrypts the first live-scan fingerprint feature set of the sender with the 

25 receiver's "difference key". Both encrypted feature sets are then sent to the 
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sender, announcing the intent of the receiver to receive a secure message 
from the sender. 

Upon receiving the feature sets from the receiver, the sender uses a 
private Icey (associated with the public Icey of the sender used by the receiver) 
5 to decrypt the first live-scan fingerprint feature set of the receiver. The 
receiver's identity is then checked (for the first time) by matching the 
receiver's first live-scan fingerprint feature set with the receiver's stored 
modified enrolled fingerprint feature set. The sender can then reconstruct the 
"difference key" of the receiver by subtracting the receiver's first live-scan 

10 fingerprint feature set from the receiver's stored modified enrolled fingerprint 
feature set. The "difference key" is used to decrypt the first live-scan 
fingerprint feature set of the sender, which allows confirmation of the 
receiver's identity (for the second time) by comparing it to the original first 
sender's live-scan fingerprint feature set. The public key of the receiver is 

15 then used to re-encrypt the first live-scan fingerprint feature set of the receiver 
(for later transmission). The sender then provides a second live-scan 
fingerprint and extracts a second live-scan feature set; this allows the creation 
of the "diff^erence key" of the sender by subtracting the sender's live-scan 
fingerprint feature set from the sender's modified enrolled feature set (that 

20 was previously modified for the specific receiver and cross-enrolled with the 
receiver). The "difference key" is then used to encrypt both the message and 
the second live-scan fingerprint feature set of the sender. The sender tiien 
transmits to the receiver the re-encrypted receiver's first live-scan fingerprint 
feature set, the encrypted message and the encrypted sender's second live- 

25 scan fingerprint feature set 
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Upon receiving tlie encrypted message and feature sets, tlie receiver 
provides a second live-scan fingerprint and extracts a second live-scan 
fingerprint feature set, to initiate the decryption process; if the receiver's 
second live-scan fingerprint feature set does not match the receiver's stored 
5 enrolled fingerprint feature set, then the receiver is not valid and the 
decryption process stops. If the receiver's second live-scan fingerprint feature 
set is valid, the receiver then confinns the sender's identity (for a second 
time) by using a private key (associated with the receiver's public key used by 
sender) to decrypt the receiver's first live-scan fingerprint feature set, which is 

10 then matched against the original receiver's fii^t live-scan fingerprint feature 
set. The receiver then reconstructs (or retrieves) the "difference key" of the 
receiver and decrypts the sender's second live-scan fingerprint feature set. 
The sender's identity is confimied (for a third time) by matching the sender's 
second live-scan fingerprint feature set with the sender's stored modified 

15 enrolled fingerprint feature set (which was previously cross-enrolled with the 
receiver). The "difference key" of the sender is then reconstructed by 
subtracting the sender's second live-scan fingerprint feature set fiom tiie 
sender's stored modified enrolled fingerprint feature set. The "difference key" 
of the sender is then used to decrypt the message and display it to the 

20 receiver. 

An optional process allows for the sender to be given direct 
confirmation that the con'ect person has received the message, thus providing 
a kind of electronic "registered mail." To provide affinnative acknowledgement 
of reception, the receiver's second live-scan fingerprint feature set is 
25 encrypted, preferably witii tiie "difference kdy" of the sender, and ti^nsmitted 
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to the sender. The sender's computer can then automatically decrypt the- 
receiver's second llve-scan fingerprint feature set with the "difference key" of 
the sender; the decrypted receiver's second live-scan fingerprint feature set is 
then matched with modified enrolled fingerprint feature set of the receiver 

5 (which was previously cross-enrolled). A successful match of the second live- 
scan fingerprint feature set of the receiver will allow a notification to be 
displayed to the sender that the message has been received and decrypted 
by the proper person. 

In a third embodiment of the invention, the "difference key" algorithm 

10 subroutine Is adapted for use on a cellular telephone networic. As an 
alternative to cross-enrollment, which may be impractical for cellular 
telepliones, a secure Identity Server is maintained on the cellular network. 
The identity Server has databases for names and numbers, public keys of 
network users, and fingerprint data of networic users. The infbmiation in the 

15 Identity Server databases allow cellular telephone users to verify Identity 
without storing any direct biometric information in the cell phone. The Identify 
Server can automatically provide biometric verification of the identity of other 
users on the cellular networic, or to other entities extemally connected to the 
network (such as banks or commercial corporations). The Identity Server can 

20 also provide biometric infbmnatlon, such as centroids and feature counts, 
which will allow remote cellular telephone users anywhere on the networic to 
employ "difference keys" to encrypt or decrypt audio or other data from and to 
cellular telephones, allowing secure real-time conimunlcations. 

In order to be registered on the Identity Server database, each cellular 

25 telephone on the networic must be equipped with a biometric input device. 
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such as a fingerprint sensor. The first time the cellular telephone is used, in a 
one-time registration procedure, the user must pro>nde a biometric feature set 
(such as a fingerprint feature set) to the Identity Server database. To do this, 
the cellular telephone will first automatically generate PKI (public key 
S infrastructure) or other asymmetric public and private keys for the particular 
telephone and user (or the PKI keys may be uploaded to the cellular 
telephone). The user then presents several fingerprints of the same finger, 
and the enrolled FP feature set is generated. A call is then placed to the 
Identity Server, which provides the PKI public key of the Identity Server (and 

10 also the asymmetric public signature key of the Identity Server, which is later 
used to verify the origin of messages from the Identity Server). The enrolled 
FP feature set of the user is then encrypted with the PKI public key of the 
Identity Server, and the feature set is tiien transmitted to the Identity Server 
along with the name, number and PKI public key of the user. Finally, all FP 

15 feature sets are deleted from the cellular telephone, leaving no biometric 
information on the telephone. 

Once a user is registered on the Identity Server, secure calls may be 
placed to any other registered user on the cellular networi<. Optionally, a user 
may use a password to tum on the cellular telephone (which Is standard 

20 option with many cellular telephones cunrently in service). The user must flien 
simply dial the telephone number of another user (or receive a call) and 
present a fingerprint to the sensor on tiie cellular telephone. Three levels of 
security are therefore provided: 1) what the user knows (a password), 2) what 
the user possesses (tiie registered cellular telephone) and 3) tiie biometric of 

25 the user (a fingerprint). 
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When a user places or receives a call, the cellular telephone and tiie 
Identity Server will execute an algorithm to validate the identity both of the 
users on the call, and to provide streaming encryption and decryption of 
cellular telephone audio, or other data. The algorithm is designed to leave no 

S direct biometric data on a cell phone, and to use minimal bandwidth for 
fingerprint data. No third party, including the Identity Server, can decrypt the 
conversation - all calls are uniquely encrypted and each user employs a 
separate encryption/decryption key. 

The cellular telephone, algorithm may be divided into five segments. 

10 The first segment covers the two user actions needed to initiate or receive a 
cell phone call. In addition to the usual dialing sequence, the first user is 
required to present a fingerprint (which is automatically converted into a live- 
scan FP feature set). Nothing more is required of the first user. 

In the second segment of the algorithm, the Identity Server provides 

15 confirmation of the identity of both users in cellular telephone connection. 
Firstly the PKI public key of the Identity Server is used to encrypt tire 
(unmodified) live-scan FP feature set of the first user, which is then sent to 
the Identity Sender. The Identity Server then decrypts live-scan FP feature set 
of the first user (using the private key of the Identity Server) and matches it 

20 against the stored enrolled FP feature set of the first user; a match will result 
in a secure message being sent to second user (who is talking with the first 
user) of identity validation of the first user. The second user will use a similar 
process, and the Identity Server will provide identity validation of the second 
user to the first user. This process of identity validation of both cell phone 

25 users by the Identity Server, provides a basis for transaction security over a 
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cell phone network. For example. It is possible for the Identity Server to notify 
other parties, including e-commerce vendors, and banks, of the valid identity 
of a particular cell phone user. 

In the third segment of the algorithm, the Identity Server provides part 
5 of the necessary data for creating a "difference key" for streaming encryption 
and decryption of telephone calls. The Identity Server will randomly modify 
, the enrolled FP feature sets of both users, extract the centroids (or other 
derived infbnnation about the FP feature sets), double encrypt the centroids 
(with the private signature key of he Identify Server and the public keys of the 

10 users) and send the encrypted centroids to both of the users. [Alternatively, 
the Identify Server can extract the centroids (or other derived Infonnation 
about the FP feature sets) of the FP feature sets and then randomly modify 
the centroids and then double encrypt the centroids and send the encrypted 
centroids to both of the users.] The first user then receives and decrypts the 

15 centroid data of both users (by using the PKI private key of the first user and 
the public signature key of the Identify Server - thus verifying that the data 
originated from the proper Identify Server). The identify Server also provides 
the encrypted public key of the second user (or any other user); the Identify 
Sen/er is the only source of user public keys, further confinning that a false 

20 Identify Server is not being used. 

The fourth segment of the cellular telephone algorithm creates the 
"difference key" of the first user, which is used to for streaming encryption 
(scrambling) of audio generated by the first user. The live-scan FP feature set 
of the first user is then modified by using a random numben this modification 

25 of the live-scan feature set blocks the Identify Server firom decrypting 
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messages. The centroid (and/or other derived information such as feature 
count) of the modified live-scan FP feature set of the first user is then 
calculated. [Altematively, the first user can extract the centroid (or other 
derived information) of the live-scan FP feature set and then randomly modify 
5 the centroid.] All versions of the live-scan FP feature sets of the first user are 
then deleted from the cell phone, leaving no biometric data on the phone. The 
centroid of the live-scan FP feature set of the first user Is then encrypted with 
the public key of the second user and sent to the second user. The, 
"difference key" of the first user is then created from the centroids of the live- 

10 scan and the enrolled FP feature sets of the first user. The "difference key" of 
the first user is then used for streaming encryption (scrambling) of the audio 
(or other data) generated by the first user, which is then transmitted to the 
second user. The difference key is used one time only for each call and is 
thus relatively secure. 

15 The fifth segment of the cellular phone algorithm reconstructs the 

"difference key" of the second user, which is used for unscrambling audio 
generated by the second user. The first user receives from the second user 
the encrypted centroid of the modified live-scan FP feature set of second user 
(provided for the current call only), and decrypts it with the private key of the 

20 first user. The first user also recalls the previously decrypted centroid of the 
modified enrolled FP feature set of second user (received from the Identity 
Server). The "difference key" of the second user is then reconstructed fix}m 
the centroids of the modified live-scan and the modified enrolled FP feature 
sets of second user. The "difference key" of the second user is then used for 

25 streaming decryption (unscrambling) of the audio from the second user. 
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Brief Description of Figures 

Furtiier objects, features and advantages of the present invention wiil 
become more readily apparent to those skilled in the art from the following 
5 description of the invention when taken In conjunction with the accompanying 
drawings, in which: 

Figure 1 shows networked computers connected to the Internet, each 
computer having a biometric input device. 

Figure 2 shows an algorithm flow chart for cross-enrollment of 
10 biometric identifier infonnation between two users. 

Figure 3A shows a sample algorithm flow chart for generating a 
modified enrolled fingerprint feature set. 

Figure 3B shows a sample algorithm flow chart for generating a secret 
"difference key" which Is derived from two fingerprints and Is used to encrypt 
15 and decrypt messages. 

Figure 4 shows an algorithm flow chart for sending a biometrically 
secured message in a single transmission. 

Figure 5 shows an algorithm flow chart for receiving a biometrically 
secured message in a single transmission. 
20 Figure 6 shows an algorithm flow chart for sending a biometrically 

secured message in two stages, and for receiving a tjiometrically secured 
message in two stages. 

Figure 7 shows an Identity Server database connected to a cellular 
telephone network. 
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Figure 8 shows an algoifthm flow chart for biometricaily enrolling the 
user of a cellular telephone on a cellular network. 

Figure 9 shows an algorithm flow chart for a biometricaily secured call 
on cellular network. 

5 

Detailed Description of Preferred Embodiments 

The temfis "user", "sender^ or "receiver^ in the context herein refers to 
the individual or to his/her computer or any device equipped to execute the 
steps described, depending on the context. Such other devices include 

10 cellular telephones, personal digital assistants and the like. 

Figure 1 shows computer workstations 100-150, which are networiced 
directly 160 or connected 170 to the World Wide Web Internet "cloud" 180. 
Each wori<statlon has a blometric Input device 105-155, which can be a 
fingerprint sensor, or any other biometric input device such as an iris eye 

15 feature scanner, facial recognition sensor, voice recognition sensor, or any 
other biometric sensor. For all embodiments of the present invention,- 
fingerprint biometrics are given as an example, but any other biometric 
identification system may be equally used. An individual person at any 
workstation 100-150 can send electronic mail, sometimes known as "email," 

20 to any other person on a nefwortc 160 or over a connection 170 through the 
Intemet 180. The fingerprint sensor provides a biometric input, unique to 
each individual, which can be used to certify identify of both the sender and 
the receiver for electronic messaging or "email." Biometric certification can 
also be used to augment other known security means such as encryption 

25 using public key / private key systems. 
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Figure 2 provides an algoritlimic flow cliart for securely exclianging 
enrolled fingerprint feature sets between two users, for later use in 
biometrically certified messages. Both the sender and the receiver must be 
cross-enrolled on each other's computer to allow confinnation of identify of 

S both parties at both ends of a message exchange. The process of cross- 
enrollment starts at step 200, where the first user enrolls a fingerprint on a 
computer system. Enrollment will typically use one or more fingerprints to 
attain a robust enrolled fingerprint feature set of the most significant features 
of the fingerprint for identification purposes. The first user then modifies the 

10 enrolled fingerprint feature set uniquely and specifically for each person from 
whom messages will be received (step 205). 

Figure 3A shows the algorithmic flow chart subroutine for modifying the 
enrolled fingerprint feature set of the user. Starting with step 300. the centroid 
of the fingerprint is determined from the relative positions of the features of 

15 the fingerprint in the image. A random number is used to generate a 
displacement vector (step 310) to slightly shift or displace all features of th& 
enrolled fingerprint feature set by a random displacement vector (step 320). 
The modified enrolled fingerprint feature set is then assigned to a specific 
person with whom messages will be exchanged (step 330). Many uniquely 

20 modified enrolled feature sets, one (or more) for each person with whom 
messages will be exchanged, may be created and securely stored. Obviously, 
many other methods may be employed for modifying an enrolled fingerprint 
feature set, such as simply deleting or altering a feature in the set. The 
objective of modifying the enrolled feature set is to change the feature set 

25 uniquely, without significantly compromising the use of the feature set for later 
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fingerprint matching purposes. Optionally, it is also possible to cross-enroll (as 
outlined in Figure 2) unmodified enrolled fingerprint feature sets, but this will 
result in a less secure messaging system (since the same enrolled fingerprint 
feature set will exist on many computers and thus can be more easily stolen). 

5 Figure 2 also shows that the first user must establish a private 

signature key with an associated public signature key, which Is sent to the 
second user (step 207); a message which is encrypted by first user with the 
private signature key (and thus 'signed') may only be decrypted with the 
associated public signature key. proving that the message originated from the 

10 first user. 

The second user then receives the public signature key of the first user 
(step 208); altematively, the second user may retrieve the public signature 
key of the first user from a public key server. The second user then checks 
the validity of the public signature key of the first user (step 209) by 
15 comparing it to a list of public keys (if available). The second user must 
establish a PKI public key with an associated private key (step 210).- 
according to well known means. The second user then sends one (or more) 
PKI public keys to ail persons to whom messages will be sent, including the 
first user (step 21 5). 

20 The first user receives the PKI public key from the second user (step 

220). The first user then creates an enrollment message (step 222) 
comprised of the first user's name, the second user's name the uniquely 
modified enrolled fingerprint feature set (that has been uniquely changed and 
assigned to the specific second user from whom messages will be received) 

25 and a "hash" of some or all of the above information; the hash function any 
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suitable unidirectional hash algorithm such as MD5. The enrollment message 
is then double encrypted (step 225), firstly with the private signature key of 
the first user and secondly with the PKI public key of the second user. The 
first user then sends the double encrypted enrollment message to the second 
5 user (step 230). 

The second user receives the double encrypted enrollment message of 
the first user (step 235) and then decrypts it (step 240) firstly with the private 
key of the second user and secondly with the public signature key of the first 
user. The second user then checks (step 242) if the first user's name and the 

10 second user's name are both conrect; the second user also checks the validity 
of the hash by re-calculating the hash (of the decrypted first and second user 
names and the modified enrolled fingerprint feature set); if the decrypted hash 
(from step 240) is identical with the re-calculated hash, then the enrollment 
message has not been tampered with. The second user then stores the 

IS decrypted modified enrolled fingerprint feature set of the first user for later use 
(step 245). 

The algorithmic flow chart shown in Figure 2 is a general example of 
one-way cross-enrollment, where the first user provides a modified enrolled 
fingerprint feature set to the second user. For two-way exchange of 

20 messages, the cross-enrollment process of Figure 2 must be repeated again 
with first user and second user switching roles, where the second user 
provides his/her modified enrolled fingerprint feature set to the first user. With 
symmetrical two-way cross enrollment, both the first user and the second user 
may send and receive messages that are secured with a biometric certificate, 

23 such as a fingerprint 
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Figure 4 shows an algorithmic flow chart for sending a message with a 
fingerprint biometric certificate. For this algorithmic process, it is assumed that 
both the sender and the receiver have been mutually cross-enrolled, as 
shown in Figure 2. The process begins with the sender composing a 
5 message to be sent (step 400). The sender next provides a live-scan 
fingerprint (of a finger that has been previously enrolled) and extracts a new 
live-scan fingerprint feature set (step 405). The sender next retrieves his/her 
modified enrolled fingerprint feature set, which has been previously modified 
for the specific receiver (and cross-enrolled with the specific receiver) (step 

10 410). As an optional test, the sender's live-scan fingerprint feature set can be 
tested by matching it against the sender's modified enrolled feature set (step 
415). If the match is not satisfactory then the sender can be asked to provide 
a new fingerprint (step 417) and try again for a satisfactory match. Once the 
match of sender's fingerprint is proven, the "difference key" can be created by 

15 subtracting the sender's live-scan fingerprint feature set from the sender's 
modified enrolled fingerprint feature set (which has been previously cross-- 
enrolled with the receiver) (step 420). 

Figure 3B shows an algorithm flow chart for the subroutine that creates 
the "difference key" from any two fingerprints, or from any two fingerprint 

20 feature sets. The process starts by finding the centroids of each fingerprint 
feature sets A and B (step 350). Due to near impossibility of placing two 
fingerprints in exactly the same position on a fingerprint scanner, it is unlikely 
that the centroids will coincide. The next step 360 is to detennine the 
magnitude and direction of the vector between the centroids of the two 

25 fingerprint feature sets, shown as Vector AB. Another simple difference 
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between two fingerprint feature sets is the number of features in each feature 
set. In step 370. Delta AB is calculated, which is the absolute value of the 
difference in number of features in two fingerprint feature sets plus one (to 
ensure a non-zero result). The "difference key" is then fomiulated for 
5 fingerprint feature sets A and B by using the magnitude and direction of 
Vector AB and the magnitude of Delta AB. The "difference key" can be 
maintained and used as a matrix of three numbers, or amalgamated into a 
single number by adding or multiplying (or any other mathematical operation) 
the three numbers. The objective is that the "difference key" must be a unique 

10 number, or set of numbers, detemiinistically derived from two fingerprints or 
fingerprint feature sets. 

Many other algorithms for calculating a "difference key" are possible, 
and the algorithm shown in Figure 3B is by way of example only. Other 
algorithms for calculating a "difference key" between two fingerprints include. 

IS but are not limited to, the following: 

1 ) comparing the relative fingerprint area of two fingerprint feature sets; - 

2) comparing the average grayscale values of two fingerprint feature sets; 

3) comparing the histogram distribution of light and dari< pixels in two 
fingeiprints; 

20 4) comparing the relative or absolute 'jiggle' in the positions of two or 
more matched minutiae points in two fingerprints, 
it is also possible to use different methods of calculating the "difference 
key" for different messages or at different times, thus adding fo the difficulty of 
decrypting the message by unauthorized persons. 
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In Figure 4, once the "difference key" Is created (step 420). the live- 
scan fingerprint feature set of the sender Is encrypted using the public key of 
the receiver (step 425). The "difference key" of the sender is then used to 
encrypt the modified enrolled fingerprint feature set of the receiver, which \Nas 
5 previously cross-enrolled and stored on the computer of the sender (step 
430). The "difference key" Is also used to encrypt the message previously 
composed by the sender (step 435). Finally, the sender transmits the 
message, comprised of an unencrypted header, the public key encrypted live- 
scan fingerprint feature set of the sender, the "difference key" encrypted 

10 modified enrolled fingerprint feature set of the receiver, and the "difference 
key" encrypted message (step 440). 

Figure 5 shows an algorithm flow chart for receiving and decrypting a 
message sent according to the algorithm shown in Figure 4. Starting at step 
500, the message created at step 440 is received. The receiver then provides 

15 a live-scan of a fingerprint and extracts an associated llve-scan fingerprint 
feature set (step 510). The live-scan fingerprint feature set of the receiver is 
then compared to the stored enrolled feature set of the receiver (step 515). If 
the fingerprint feature sets do not match , the receiver will be asked to provide 
a new live-scan fingerprint (step 522). If the receiver's fingerprint feature sets 

20 do match, the private key of the receiver Is retrieved (step 525) (the private 
key of the receiver is associated with the public key sent by the receiver to the 
sender during cross-enrollment). The receiver will then use the private key to 
decrypt the received llve-scan fingerprint feature set of the sender (which was 
previously encrypted by the sender with the public key of the receiver) (step 

25 530). The live-scan fingerprint of the sender is then compared with the 
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sender's modified enrolled fingerprint feature set (which was previously cross- 
enrolled and stored on the computer of the receiver) (step 535). if the feature 
sets do not match (step 540), then receiver is notified that the sender's 
identity cannot be confirmed (step 542) and the process stops (step 544). if 
5 the sender's live-scan and modified enrolled fingerprint feature sets do match, 
then the "difference key" of the sender is reconstructed (step 545) by 
subtracting the sender's live-scan fingerprint feature set from the sender's 
modified enrolled feature set (which was previously cross-enrolled and stored 
on the computer of the receiver). The reconstructed "difference key" is then 

10 used to decrypt the receiver's modified enrolled fingerprint feature set which 
was received with the message (step 550). Not shown in Figure 5, the 
decrypted modified enrolled fingerprint feature set of the receiver can be 
optionally compared to the stored modified enrolled fingerprint feature set of 
the receiver (which was previously sent to the specific sender during cross- 

15 enrollment); if both feature sets are identical, then sender's identity is again 
confirmed by a different means than step 540, providing greater security. 

In step 565, the decrypted modified enrolled fingerprint feature set of 
the receiver is then compared with the live-scan fingerprint feature set of the 
receiver (generated in step 510). If the receiver's fingerprint feature sets do 

20 not match, then a notification is displayed indicating that the receiver's 
identity could not be confinmed (steps 570 and 572) and the process stops 
(step 574). If the receiver's fingerprint feature sets do match, the "difference 
key" is used to deoypt the sender's message, which is then displayed to the 
receiver (steps 570 and 575). 
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Not shown in Figure 5 for clarity is an optional algorithmic subroutine 
that gives the sender direct confimnation that the correct person has received 
the message. The receiver's live-scan fingerprint feature set (generated in 
step 510) is encrypted, preferably with the "difference key" of the sender 
5 (reconstructed in step 545), and transmitted to the sender (after step 575). 
The sender then decrypts the receiver's live-scan fingerprint feature set with 
the "difference key" of the sender (originally created in step 420). The 
decrypted receiver's live-scan fingerprint feature set is then matched with 
modified enrolled fingerprint feature set of the receiver (which was previously 

10 crass-enrolled). A successful match of the live-scan fingerprint feature set of 
the receiver enables a notification to be displayed to the sender that the 
message has been received and decrypted by the proper person. 

Figure 6 shows an algorithm flow chart for sending and receiving a 
biometrically certified message with higher security protection than shown in 

15 Figures 4 and 5. The algorithm shown in Figure 6 requires cross-enrollment of 
modified enrolled feature sets, as shown in Figure 2. The algorithm shown in 
Figure 6 is structured as a multi-part "handshake" between the sender and 
receiver, whereby the sender initiates the process (of steps 600-604) of 
sending a message, the receiver responds (with steps 606-614) indicating 

20 readiness to receive a message, Vne sender prepares and sends (with steps 
616-638) the biometrically encrypted message, and the receiver decrypts 
(with steps 640-654) the message. The benefit of increased algorithmic 
complexity (where two fingerprints of the sender and two fingerprints of the 
receiver are required) is increased security. Two "difference keys" are utilized 
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(of the sender and receiver) and the receiver's identity is confinned twice and 
the sender's identity is confinned three times. 

Figure 6 shows the sender composing a message to be sent (step 
600). The sender then provides a first live-scan fingerprint and extracts the 
5 first live-scan fingerprint feature set which is then encrypted with the public 
l<ey of the receiver and sent to the receiver (step 604). This process 
announces to the receiver that the sender wishes to send a biometrically 
certified message. 

The receiver then decrypts the sender's first live scan fingerprint 

10 feature set with the private key of the receiver (step 606). The sender's 
identity is confimned for the first time by matching the sender's first live-scan 
fingerprint feature set with the sender's stored modified enrolled feature set 
(which exchanged during cross-enrollment). The receiver then provides a first 
live-scan fingerprint and extracts the receiver's first live-scan fingerprint 

15 feature set (step 610). The first "difference key" of the receiver is created by 
subtracting \he receiver's first live-scan fingerprint feature set from the 
receiver's modified enrx)lled fingerprint feature set (step 612). The public key 
of the sender is used to encrypt the receiver's first live-scan fingerprint feature 
set, and the receiver's "difference key" is used to re-encrypt the first live-scan 

20 fingerprint feature set of the sender; both encrypted feature sets are then 
transmitted to the sender (step 614). 

The sender tiien decrypts the first live-scan fingerprint feature set of 
the receiver with the private key of the sender (step 616). The sender then 
confirms the receiver's identity (for the first time) by matching the first live- 

25 scan fingerprint feature set of the receiver with the stored modified enrolled 
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fingerprint feature set of the receiver (which was previously cross-enrolled 
with tiie sender) (step 618). The "difference key" of the receiver is then 
reconstructed by subtracting the first live-scan fingerprint feature set of the 
receiver from the stored modified enrolled fingerprint feature set of the 
5 receiver (step 620). The "difference key" of the receiver is then used to 
decrypt the first live-scan fingerprint feature set of the sender (which was 
previously re-encrypted 614 by the receiver) (step 622). The sender then 
confirms receiver's Identity (for the second time) by comparing the decrypted 
first live-scan fingerprint feature set of the sender with the original (which was 

10 previously extracted 602) (step 624). The sender then re-encrypts the first 
live-scan fingerprint feature set of the receiver with the public key of the 
receiver (Ibr later transmission back to the receiver) (step 626). The sender 
then provides a second live-scan fingerprint and extracts the second live-scan 
fingerprint feature set of the sender (step 628). The sender then retrieves the 

IS modified enrolled fingerprint feature set of the sender that was previously 
modified for the specific receiver (and cross-enrolled with the receiver) (step 
630). The "difference key" of the sender is then created by subtracting the 
second live-scan fingerprint feature set of the sender from the modified 
enrolled fingeiprint feature set of the sender that was previously modified for 

20 the specific receiver (step 632). The "difference key" of the sender is then 
used to encrypt the message (originally composed at step 600 by the sender) 
(step 634). The "difference key" of the sender Is also used to encrypt the 
second live-scan fingerprint feature set of the sender (step 636). Finally, the 
sender transmits to the receiver the re-encrypted first live-scan fingerprint 

25 feature set of the receiver (previously re-encrypted with the receiver's public 
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key at step 626) (step 638), the encrypted message (previously encrypted 
with the "difference key" of the sender at step 634), and the encrypted second 
live-scan fingerprint feature set of the sender (previously encrypted with the 
"difference key" of the sender at step 636). 
S When the receiver receives transmission , the receiver provides a 

second live-scan fingerprint (step 638) and extracts a second live-scan 
fingerprint feature set, which is then matched against the stored fingeiprint 
feature set of the receiver (the receiver must prove his/her identity for the 
decryption process to continue) (step 640). The identity of the sender is then 

10 confirmed (for the second time) by using the private key of the receiver to 
decrypt the receiver's first live-scan fingerprint featire set (previously re- 
encrypted at step 626) and comparing it with the original (generated 
previously at step 610) (step 642). The "difference key" of the receiver is then 
reconstructed by subtracting the receiver's first live-scan fingerprint feature 

IS set (previously decrypted at step 642) from the receiver's modified enrolled 
fingerprint feature set (previously cross-enrolled with the specific sender) 
(step 644). The "difference key" of the receiver could also be recalled from 
the original create at step 612, but reconstmcting it adds additional security. 
The "d'rfference key" of the receiver is then used to decrypt the sender's 

20 second live-scan fingerprint feature set (previously created at step 628 and 
encrypted at step 636) (step 646). The sender's identity is then confimned (for 
a third time) by matching the sender's second live-scan fingerprint feature set 
with the sender's stored modified enrolled fingerprint feature set (previously 
cross-enrolled) (step 648). The "difference key" of the sender is then 

25 reconstructed by subtracting the sender's second live-scan fingerprint feature 
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set from the sender's stored modified enrolled fingerprint feature set (step 
650). The "difference key" of the sender is then used to decrypt the message 
(previously encrypted at step 634) (step 652). The message is then finally 
displayed to the receiver (step 654). 
S Not shown in Figure 6 for clarity is an optional algorithmic subroutine 

that gives the sender direct confinnatibn that the correct person has received 
the message. The receiver's second live-scan fingerprint feature set 
(generated in step 640) is encrypted, preferably with the "difference key" of 
the sender (reconstructed In step 650), and transmitted to the sender (after 

10 step 654). The sender then decrypts the receiver's second live-scan 
fingerprint feature set with the "difference key" of the sender (created in step 
632); the decrypted receiver's second live-scan fingerprint feature set is then 
matched with the modified enrolled fingerprint feature set of the receiver 
(which was previously cross-enrolled and used in step 620). A successful 

15 match of the second live-scan fingerprint feature set of the receiver enables a 
notification to be displayed to the sender that the message has been received 
and decrypted by the proper person. 

Figures 7, 8 and 9 show an embodiment of the invention applied to a 
cellular telephone networic. The purpose of this embodiment is provide 

20 biometrically secure communications of voice audio and other data over 
cellular telephones. 

Figure 7 shows an Identity Server database 700 on a cellular 
telephone network. The purpose of Identity Server is to provide confimiation 
of the identity of cellular telephone users, in place of cross-enrollment 

25 procedure shown In Figure 2. The Identity Server has several databases. 
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including names and numbers of users 710, public keys of users 720 and 
enrolled fingerprint feature sets (or other biometric infomiation) of users 730. 
The Identity Server is connected to cellular telephone users via the standard 
radio frequency links 740. The Identity Server may also connected with users, 
S other sen/ers, and other information services via any other available 
electronic communications links 750 such as cable, fiber optic and/or 
microwave relays. 

Figure 8 shows the algorithm flow chart for registering a single cellular 
telephone of User A on the Identity Server of a cellular networi( (for example, 

10 at the time of purchase). The process starts (step 800) by installing the name 
and number of User A on the telephone; the cellular telephone then 
automatically generates the PKI public and private keys (or any other 
asymmetric public/private key pair system) of User A (by well known 
mathematical processes). [Alternatively the PKI public and private keys of 

IS User A may be generated elsewhere downloaded onto the cellular telephone; 
altematively the PKI public and private keys of User A may be stored on a 
'smart card' or other extemal storage device which can be connected to the 
cellular telephone.] User A then presents one or more fingerprints (or other 
biometric) and an enrolled FP (fingerprint) feature set(s) of User A is then 

20 automatically generated (step 810). A call is then placed (step 820) to the 
Identity Server and the PKI public key and the public signature key (used later 
to verify that messages originate from the Identity Server) of the Identity 
Server are received and stored in the nonvolatile memory of the cellular 
telephone; the private key of User A is also stored in nonvolatile memory. The 

25 enrolled FP feature set(s) of User A are then encrypted with the PKI public 
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key of the Identity Server (step 830). The cellular telephone of User A then 
transmits to the identrty Sender (step 840) the name and number of User A, 
the PKI public key of User A and the encrypted enrolled FP feature set of 
User A; the Identity Sen/er then stores this information about User A in the 

5 appropriate databases. Finally, the unencrypted and encrypted feature sets of 
User A, and the PKI public key of User A are then deleted (step 850) from the 
memory of the cellular telephone of User A, leaving no biometric infomiation 
in the memory of the cellular telephone. 

Figure 9 shows the algorithm flow chart for initiating or receiving a 

10 biometrically secure call (step.QOO) on the cellular telephone of User A. User 
A first provides a fingerprint and generates a live-scan FP feature set (step 
905). The live-scan FP feature set of User A is then encrypted with the PKI 
public key of the Identity Server and the encrypted FP feature set is then 
transmitted (step 910) to the Identity Server. The Identity Server then verifies 

15 the identity of User A by matching the live-scan FP feature set of User A with 
stored enrolled FP feature set of User A, and then sends to User B a 
message (encrypted vwth private signature key of Identity Server and PKI 
public key of User B) stating that the Wentlty of User A has been verified (step 
915). User A then receives from Identity Server (step 920) a double encrypted 

20 message stating that the identity of User B has been verified; the message is 
then decrypted with PKI private key of User A and public signature key of the 
Identity Server (reverse of Step 915). The Identity Server will then randomly 
modify the enrolled FP feature sets of Users A and B, extract centroids 
(and/or other derived infomiation subsets such such as minutiae counts, etc.), 

25 double encrypt centroids (with private signature key of Identity Server and PKI 
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public keys of Users), and send the encrypted centroids to Users A and B 
(step 925). [Alternatively, the Identity Server can extract the centroids (or 
other derived Information subsets about the FP feature sets) of the FP feature 
sets and then randomly modify the centroids and then double encrypt the 
5 centroids and sand the encrypted centroids to both of the users.] User A will 
then receive (step 930) from the Identity Server the double encrypted 
centroids of modified enrolled FP feature sets of Users A and B, and the PKI 
public key of User B (all encrypted with the private signature key of Identity 
Server and the PKI public key of User A); User A will then decrypt the 

10 centroids of Users A and B and the PKI public key of User B with PKI private 
key of User A and with the public signature key of Identity Server. Optionally, 
ail messages from the Identity Server may be additionally hashed (by a hash 
algorithm such as MD5); User A may re-hash the decrypted message from 
the Identity Server and compare it to the transmitted hash; an exact match of 

IS the of the re-hash with the transmitted hash ensures that messages from the 
Identity Server have not been tampered with. 

Steps 935 through 960 of Figure 9 shows the algorithmic sequence 
used to create the "difference key" of User A, which is used to scramble (by 
'streaming encryption') the digital audio and other data generated by the 

20 cellular telephone of User A. The live-scan FP feature set of User A is 
modified (step 935) using a random number (derived, for example, from the 
number of minutiae in the fingeiprint and/or the time taken to gather the 
fingerprint); the modification of the live-scan FP feature set of User A is similar 
to the algorithm shown in Figure 3a and prevents the Identity Server frorii 

25 being able to decrypt speech and messages from User A. Next, the centroid 
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(and/or, optionally, other derived information subsets sucli as minutiae count) 
of the modified live-scan FP feature set of User A is calculated (step 940). 
[Alternatively to steps 935 and 940, centroid (or other information subset) of 
the live-scan FP feature set of User A could be calculated first, and then 

5 modified using a random number.] The centroid of the modified live-scan FP 
feature set of User A is then encrypted (step 945) with the PKI public key of 
User B and sent to User B. All versions of the live-scan FP feature set of User 
A and ttie public key of User B are deleted (step 950) from the memory of the 
cellular telephone, leaving no biometric infomfiation in the cellular telephone of 

10 User A. The "difference key" of User A is then created (step 955) by 
calculating the difference between tiie centroids (and/or ottier derived 
infomiation subsets) of tiie modified live-scan FP feature set of User A and 
the modified enrolled FP feature sets of User A (using an algorithm similar to 
that shown in Figure 3B). The "difference key" of User A is then used for 

15 streaming encryption (or real time scrambling) (step 960) of tiie audio speech 
or other data generated by User A. 

Steps 965 through 975 of Figure 9 shows tiie algorithmic sequence 
used to create the "difference key" of User B. which is used to unscramble (by 
'streaming decryption') the digital audio and other data generated by the 

20 cellular telephone of User B. User A receives (step 965) firom User B tiie 
encrypted centroid of the modified live-scan FP feature set of User B, which 
has been encrypted wrth the PKI public key of User A: User A then decrypts 
the centiToid of tiie modified live-scan FP feature set of User B with the PKI 
private key of User A. The "difference key" of User B is ttien reconstructed 

25 (step 970) by calculating the difference between the centroids (and/or ottier 
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derived information subsets) of the modified live-scan FP feature set of User 
B and the modified enrolled FP feature set of User B (using an algorithm 
similar to that shown in Figure 3B). Finally, the "difference key" of User B is 
used for streaming decryption (unscrambling) the audio and other data 
5 received from User B. 

The above descriptions are examples of methods to implement 
biometric certificates derived finom the biometric infonnation of fingerprints, as 
a means to increase the security of electronic messaging by requiring the 
physical Identity of both the sender and the receiver to be confimned. Any 

10 other biometric information is contemplated by the present invention, such as 
iris eye patterns. The above descriptions of method can also include 
additional security means, such as secret passwords, secret personal 
identification numbers (PIN numbers), physical keys or cards, serial numbers 
of biometric input devices and time stamps at the time of message origin. The 

15 above descriptions employ common asymmetric public/private key technology 
for convenience only; it is equally possible to implement biometric certificates 
by the use of secret keys that are securely exchanged between the sender 
and receiver by other means. Furthenmore, although email by means of the 
Internet is used by way of example, the disclosed methods and techniques of 

20 biometric certificates are employable with other information transport 
mechanisms (e.g. wireless communications protocols and broadband 
communication protocols). 

.While the principles of the invention have now been made dear in the 
illustrated embodiments, it will be Immediately obvious to those skilled in the 

25 art that many modifications may be made of structure, arrangements, and 
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algorithms used in the practice of the invention, and othenA/ise, which are 
particulariy adapted for specific environments and operational requirements, 
without departing from those principles. The claims are therefore intended to 
cover and embrace such modifications within the limits only of the true spirit 
5 and scope of the invention. 
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What is claimed is: 

1 . A method for exchanging electronic messages between a sender with an 
enrolled blometric feature set and a receiver with an enrolled biometric 
feature set, comprising: 

5 a. exchanging enrolled biometric feature sete between the sender and 

receiver; 

b. generating a live-scan biometric feature set of the sender; 

c. generating a difference key derived from the difference between the 
sender's live-scan biometric feature set and the sender's enrolled 

10 biometric feature set; , 

d. encrypting the message with the difference key; 

e. encrypting said sender's live-scan biometric feature set with an 
encryption key; 

f. transmitting to the receiver the encrypted message and said 
15 encrypted sender's live-scan biometric feature set; 

g. decrypting by the receiver said encrypted sender's live-scan 
biometric feabjre set' 

h. regenerating by the receiver the difference key by calculating the 
difference between said sender's live-scan biometric feature set 

20 and the sender's enrolled biometric feature set; 

i. decrypting the message by use of the regenerated difference key.. 

2. The mettiod of Claim 1, wherein the biometric feature set is a fingerprint 
feature set. 

25 
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3. The method of Claim 1 , further comprising the steps of: 

a. modifying the enrolled biometric feature set of a sender or receiver 
such that it is unique but still useful for the purposes of matching 
other biometric feature sets of the person to identify the individual; 
5 b. modifying multiple enrolled biometric feature sets such that each 

biometric feature set is unique; 

c. assigning one or more uniquely modified enrolled biometric feature 
sets to specific individuals with whom messages will be exchanged; 

d. securely exchanging unique modified enrolled biometric feature 
10 sets with individuals with whom messages will be exchanged. 

4. The method of Claim 2 whereby public key cryptographic techniques are 
used to securely exchange modified enrolled biometric feature sets. 

15 5. The method of Claim 1 , further comprising: 

a. generating a real-time biometric feature set by the sender during 
message exchange to assert the identity of the sender; 

b. generating a real-time biometric feature set by the receiver during 
message exchange to assert the identity of the receiver, 

20 c. validating the identity of the sender during message exchange; 

d. validating the identity of the receiver during message exchange. 


6. The method of Claim 1 , further comprising: 

a. detemnining the characteristics a first biometric feature set; 
25 b. detemiinlng the characteristics a second biometric feature set; 
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c. determining the differences between said characteristics of first 
and second biometric feature sets; 

d. creating an encryption/decryption key based on said differences. 

5 7. The method of Claims 1 and 6, Hirther comprising: 

c. using the differences between a real-time biometric feature set and 
enrolled biometric feature set to create a unique 
encryption/decryption key; 

d. using the unique encryption/decryption key to encrypt data during 
10 message exchange; 

e. securely exchanging real-time biometric feature sets by one or 
more parties during message exchange; 

f. reconstructing the unique encryption/decryption key by a remote 
party by using the differences between the characteristics of the 

15 exchanged real-time biometric feature set and the previously 

exchanged enrolled biometric feature set; 

g. using the unique encryption/decryption key by a remote parfy to 
decrypt the data sent with the message. 

20 8. The method of Claim 1 further comprising the transmission of the 
encrypted receiver's biometric feature set to the sender, allowing the 
sender to confimn that the proper person has received the message. 

9. A method for sending and recei^^ng of electronic messages comprising: 
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a. exchanging enrolled biometric feature sets between the sender and 
receiver, prior to the exchange of messages; 

b. generating one or more live-scan biometric feature sets of the 
sender during ttie process of sending messages; 

5 c. generating one or more live-scan biometric feature sets of the 

receiver during the process of receiving messages; 
d. generating a first difference key derived from the difference 
between the receiver's live-scan biometric feature set and the 
receiver's enrolled biometric feature set; 
10 e. encrypting data by the receiver with the first difference key and 

transmission of encrypted data from the receiver to the sender, 
f. conflnnlng the Identity of the receiver by the sender by decrypting a 
live-scan biometric feature set of the receiver and matching against 
the enrolled biometric feature set of the receiver; 
15 g. confirming the identity of the receiver by reconstmcting the first 

difference key, decrypting data from the receiver, and confirming 
the validity of the data; 

h. generating a second difference key derived from the diffierence 
between the sender's live-scan biometric feature set and the 

20 sender's enrolled biometric feature set; 

i. encrypting data by the sender with the second difference key; 
j. transmitting to the receiver of the encrypted data; 

k. decrypting by the receiver of the sender's live-scan biometric 
feature set to check the identity of the sender; 
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I. transmitting by the sender of message data encrypted by a 
difference Icey; 

m. regenerating by the receiver of the second difference l<ey by 
calculating the difference between the sender's live-scan biometric 
5 feature set and the sender's enrolled biometric feature set; 

n. decrypting of the message by use of the regenerated difference 
l<ey. 

10. The method of Claim 8, wherein the biometric feature set is a fingerprint 
10 feature set. 

1 1 . The method of Claim 8, further comprising: 

a. enrolled biometric feature set of an individual who wishes to send 
or receive messages; 
15 b. modifying the enrolled biometric feature set such that it unique but 

still useful for the purposes of matching other biometric feature set& 
of the individual and thus to identify or verify the identity of the 
individual; 

c. modifying of multiple enrolled biometric feature sets such that each 
20 biometric feature set is unique; 

e. assigning one or nnore uniquely modified enrolled biometric feature 
sets to specific individuals with whom messages will be exchanged; 

f. securely exchanging unique modified enrolled biometric feature 
sets with individuals with whom messages will be exchanged. 
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12. The method of Claim 9 whereby public key cryptographic techniques are 
used to securely exchange modified enrolled biometric feature sets. 

1 3. The method of Claim 8, further comprising: 

5 a. generating a real-time biometric feature set by the sender during 

message exchange to assert the identity of the sender; 

b. generating a real-time biometric feature set by the receiver during 
message exchange to assert the identity of the receiver, 

c. validating the identity of the sender during message exchange; 
10 d. validating the identity of the receiver during message exchange. 

14. The method of Claim 8, further comprising: 

a. detennining the characteristics a first biometric feature set; 

b. detemnining the characteristics a second biometric feature set; 

15 c. comparing the characteristics of the first and second biometric 

feature sets; 

d. detemnining the differences between the characteristics of the first 
and second biometric feature sets; 

e. creating an encryption/decryption key based on the differences 
20 between the characteristics of the first and second biometric feature 

sets. 


1 5. The method of Claims 8 and 1 3, further comprising: 
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